Bug #54158 | mysql doesn't support chained SSL certificates properly | ||
---|---|---|---|
Submitted: | 1 Jun 2010 20:09 | Modified: | 14 Jun 2022 21:05 |
Reporter: | [ name withheld ] | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server: Compiling | Severity: | S4 (Feature request) |
Version: | 5.1.47 | OS: | Any |
Assigned to: | | CPU Architecture: | Any |
Tags: | Contribution |
[1 Jun 2010 20:09]
[ name withheld ]
[5 Apr 2011 22:50]
Jan Ksta
I confirm that. 5.5.10 MySQL yassl build still does not support fetching intermediate ca-s to the client.
[6 Aug 2013 16:01]
Rodney Beede
Does the text in (http://dev.mysql.com/doc/refman/5.6/en/ssl-options.html) ("6.3.9.4. SSL Command Options" of "MySQL 5.6 Reference Manual"):
[BEGIN QUOTE]
MySQL distributions built with OpenSSL support the --ssl-capath option. Distributions built with yaSSL do not because yaSSL does not look in any directory and does not follow a chained certificate tree. yaSSL requires that all components of the CA certificate tree be contained within a single CA certificate tree and that each certificate in the file has a unique SubjectName value. To work around this yaSSL limitation, concatenate the individual certificate files comprising the certificate tree into a new file. Then specify the new file as the value of the --ssl-capath option.
[END QUOTE]
Does this mean that yaSSL and OpenSSL can now both be used with complete chains on a MySQL server?
[5 Feb 2018 8:52]
Terje Røsten
Due to removal of yassl[1], it should be possible to fix this issue in MySQL 8.0.
[1]: https://mysqlserverteam.com/mysql-8-0-4-openssl-and-mysql-community-edition/
[5 Feb 2018 15:48]
Daniël van Eeden
I thought YaSSL wasn't going to be removed in 8.0.x. Having OpenSSL as default for both community edition and enterprise edition doesn't change this for those who compile MySQL themselves with YaSSL.
[5 Feb 2018 16:05]
Terje Røsten
Hi Daniël! I am sorry, my mistake, you are right, yassl is present in mysql sources, so the problem still remains.
[15 May 2018 12:27]
MySQL Verification Team
https://bugs.mysql.com/bug.php?id=80698 marked as duplicate of this one.
[16 Oct 2019 7:39]
Daniël van Eeden
As YaSSL and WolfSSL support is now gone I think it is time to close this bug (providing it is fixed by using OpenSSL).
[22 Oct 2019 15:43]
John Casebolt
As of 22 October 2019, it looks like the remaining OpenSSL code on (at least) the 5.7 branch has not been updated to leverage certificate chains:
https://github.com/mysql/mysql-server/blob/5.7/vio/viosslfactories.c
Due to this, I can only validate my server certificate to the first intermediate in my chain when using MySQL Connector/J.
[14 Jun 2022 21:05]
Philip Olson
Posted by developer:
Fixed as of the upcoming MySQL Server 8.0.30 release, and here's the proposed changelog entry from the documentation team:
Extended support for chained SSL certificates.
Thank you for the bug report. The --ssl-cert documentation was also updated to reflect this change.
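Added example, not part of the bug thread or MySQL's code: a throwaway three-level PKI built with the `openssl` CLI shows why a peer that trusts only the root rejects a certificate issued by an intermediate, and how both the concatenated CA file quoted from the manual above and a peer-supplied chain complete the path. The function names, file names and `demo-*` subject names are made up for the demo, and it assumes OpenSSL 1.1.0 or later on the PATH.

```shell
#!/bin/sh
# Added illustration with a constructed PKI: demo-root -> demo-int -> demo-srv.
# All subject names, file names and function names are made up for this demo.

# build_chain DIR: create keys and certificates for the three levels inside DIR.
build_chain() (
  cd "$1" || exit 1
  # Private config so the result does not depend on the system openssl.cnf.
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=unused' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
    '[v3_leaf]' 'basicConstraints=CA:FALSE' > pki.cnf
  for n in root int srv; do
    openssl req -config pki.cnf -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$n.key" -out "$n.csr" 2>/dev/null || exit 1
  done
  openssl x509 -req -in root.csr -signkey root.key -days 2 \
    -extfile pki.cnf -extensions v3_ca -out root.pem 2>/dev/null || exit 1
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 2 \
    -extfile pki.cnf -extensions v3_ca -out int.pem 2>/dev/null || exit 1
  openssl x509 -req -in srv.csr -CA int.pem -CAkey int.key -CAcreateserial -days 2 \
    -extfile pki.cnf -extensions v3_leaf -out srv.pem 2>/dev/null || exit 1
  # The manual's workaround: every CA of the tree concatenated into one file.
  cat int.pem root.pem > ca-bundle.pem
)

# verify_srv DIR ARGS...: exit status 0 only if srv.pem chains to a trusted CA.
verify_srv() (
  cd "$1" || exit 1
  shift
  openssl verify "$@" srv.pem >/dev/null 2>&1
)

report() {  # report LABEL DIR ARGS...: print the outcome of one trust setup
  label=$1; shift
  if verify_srv "$@"; then echo "$label: verified"; else echo "$label: REJECTED"; fi
}

demo() {
  d=$(mktemp -d) && build_chain "$d" || return 1
  # 1. Only the root is trusted and nobody supplies the intermediate: rejected.
  report "root CA only" "$d" -CAfile root.pem
  # 2. Intermediate and root concatenated into the trusted CA file: verified.
  report "concatenated CA file" "$d" -CAfile ca-bundle.pem
  # 3. Root trusted, intermediate supplied as an untrusted chain cert: verified.
  report "root CA + supplied chain" "$d" -CAfile root.pem -untrusted int.pem
  rm -rf "$d"
}
demo
```

Case 3 is the behaviour chained-certificate support gives a client that keeps only the root in its CA file: the intermediate arrives with the peer's certificate and is used for path building without being trusted itself.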